funkyres

Members
  • Posts: 34
  • Last visited: Never

Profile Information
  • Gender: Not Telling

funkyres's Achievements: Member (2/5)
Reputation: 0

  1. I really didn't want to subscribe to a different forum, so hopefully someone here has a clue. This looked like the most appropriate forum - as in no other forum looked appropriate ... The following HTML code:

        <div style="float: left;">
          <p>Mating Call</p>
          <audio controls="controls">
            <source src="/media/ogg/bullfrog.ogg" type="audio/ogg"/>
            <object type="application/x-java-applet">
              <param name="archive" value="http://theora.org/cortado.jar"/>
              <param name="code" value="com.fluendo.player.Cortado.class"/>
              <param name="url" value="/media/ogg/bullfrog.ogg"/>
              <param name="autoPlay" value="false"/>
              <p>
                <a href="/media/ogg/bullfrog.ogg">bullfrog.ogg</a>
              </p>
            </object>
          </audio>
        </div>

     works beautifully and uses the Java Cortado player as fallback - BUT asks the user to accept the sig first. The solution is to host a local cortado.jar file, so that everything is on the same server. However, when I try that, it doesn't work - and there are 404 errors in the Apache log for /herps/com - so it looks like using a local copy of the jar results in the client looking for stuff other than just the jar file. Other than the archive parameter value, what else do I need to do so that Java works with a locally hosted copy of the jar file? It seems every freaking web page that discusses embedding Java talks about using applet and/or embed, which I just plain am NOT allowed to use; I HAVE to use W3C compliant tags, which means object (audio/video/source are the only exceptions).
  2. Got it figured out - element.addEventListener('click',function (){spyOnUser(somearg)},false)
  3. I'm not terribly familiar with the JS. I figured out how to add an event handler, i.e. element.addEventListener('click',spyOnUser,false) (cute example from http://www.quirksmode.org/js/events_advanced.html), but for the life of me I can't figure out how to use a function with an argument. element.addEventListener('click',spyOnUser(somearg),false) seems to fail. Error:

        uncaught exception: [Exception... "Could not convert JavaScript argument"
        nsresult: "0x80570009 (NS_ERROR_XPC_BAD_CONVERT_JS)"
        location: "JS frame :: http://devel.clfsrpm.net/blogDevel/bbeditor/edtest.js :: AttachEvent :: line 31"
        data: no]

     How do I do that?
  4. I'm looking for a good class that either properly converts HTML to bbcode (MUST be configurable) or a class that can fix improper bbcode markup. Going from bbcode to clean HTML I don't have a problem with; the only issue is I want to store the data as bbcode in the database, but want to clean it up first (either with a bbcode equivalent of tidy or something that will let me convert HTML that has been tidied back to bbcode). Any suggestions, or am I stuck trying to write my own?
  5. I definitely need to learn more about lookaheads and lookbehinds - seems every time I try to use one, there can't be a variable length expression before or after it. Either it is severely limited in current implementation or I'm doing it wrong.
  6. This seems to work -

        // non-greedy .*? so that each CDATA section is removed separately
        // instead of one match running from the first to the last ]]>
        $forbidden[] = '/<!\[CDATA\[.*?\]\]>/s';
        $sanitized[] = '<!-- cdata section removed -->';

     though I still want to know how to make a pattern that says "match unless it has this particular multi-character phrase in it". I can't seem to find a way to do it via Google; all (and I mean all) the regex tutorials seem to silently ignore it, but it can't be that uncommon of a thing to want to do.
  7. I'm using the following as part of a filter -

        <?php
        // attempt at "everything up to ]]>" - a character class cannot express that
        $forbidden[] = '/<!\[CDATA\[[^(\]\]>)]*\]\]>/';
        $sanitized[] = '<!-- cdata section removed -->';
        // then processed via
        return preg_replace($forbidden, $sanitized, $buffer);
        ?>

     It works so long as there is not a ] or > anywhere in the cdata. Since ]]> is illegal in a cdata block, I want to match any cdata that is NOT the three character string ]]>. I can't seem to figure out how to get regex to match something that is NOT a particular string. I can get it to match a particular string, or match NOT a particular character, but matching NOT a particular string - I can't seem to figure out the syntax for that. [^(\]\]>)] is my most recent attempt. Anyone know how to do this?
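The "match unless it contains this phrase" question from posts 5, 6 and 7 above, as an added Python example (not code from the original posts). The answer is a negative lookahead used as a tempered token: consume one character at a time, but only while the current position is not the start of the forbidden string. Lookahead carries no width restriction; it is lookbehind that PCRE and Python's `re` require to be fixed width, which is what post 5 ran into. The sample buffer, the pattern names and the `not_containing` helper are mine; the replacement comment is the one the posts use.

```python
import re

# Constructed sample input (not from the original post). The first section
# contains a lone ']' and a lone '>', which defeat a character-class approach.
SAMPLE = (
    "<p>intro</p>"
    "<![CDATA[ a ] b > c ]]>"
    "<p>between</p>"
    "<![CDATA[ second ]]>"
    "<p>end</p>"
)

REPLACEMENT = "<!-- cdata section removed -->"

# "Any character, provided this position is not the start of ']]>'".
# The negative lookahead (?!\]\]>) tests a whole string; a character class
# such as [^(\]\]>)] can only exclude single characters, so it cannot say this.
CDATA_RE = re.compile(r"<!\[CDATA\[(?:(?!\]\]>).)*\]\]>", re.S)

# Greedy variant for comparison: .* runs to the LAST ']]>' in the buffer.
GREEDY_CDATA_RE = re.compile(r"<!\[CDATA\[.*\]\]>", re.S)


def strip_cdata(buffer: str) -> str:
    """Replace each CDATA section with a comment, even when the section
    contains stray ']' or '>' characters. An unterminated section is left alone."""
    return CDATA_RE.sub(REPLACEMENT, buffer)


def strip_cdata_greedy(buffer: str) -> str:
    """Same replacement with the greedy pattern, to show the over-match."""
    return GREEDY_CDATA_RE.sub(REPLACEMENT, buffer)


def not_containing(phrase: str) -> re.Pattern:
    """General form of 'match the whole string unless it contains `phrase`'."""
    return re.compile(r"^(?:(?!" + re.escape(phrase) + r").)*$", re.S)


if __name__ == "__main__":
    print(strip_cdata(SAMPLE))
    print(strip_cdata_greedy(SAMPLE))
```

The same pattern works unchanged in PHP's `preg_replace`, since PCRE implements `(?!...)` identically; only the `re.S` flag becomes the `/s` modifier.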
  8. You could print the document to pdf. Or you could translate the document into xml and then use xslt to translate the document into xhtml/html What are you trying to accomplish?
  9. You still don't want to use the sid as the key. The cracker just needs to write a malicious script that downloads the form and sends it to him. The cracker e-mails the script to thousands of users. The cracker then parses what comes back for session IDs - thus eliminating the need to sniff packets and increasing the potential victim base. That would work, btw, even if the server was HTTPS.
  10. Doh - it's sent over http (from client to server) every time the cookie is read anyway.
  11. The session ID itself is too dangerous to ever send to the client since if intercepted it can be used to forge a cookie to allow login as the user. But an md5 of the session ID + salt would probably be safe. The reason I want it to change though with each form - even though I don't use persistent cookies, session cookies only, a session can be active for quite some time - I know sometimes I have my browser open on my desktop for weeks (I run Linux so rebooting is really only necessary with a kernel update, I use noscript so pages that do obscene things w/ js and flash that cause firefox to crash rarely impact me). Every time a user requests a page, the clock for when their session expires server side is reset, so it is conceivable that a session could last for quite some time.
  12. The problem with using sessions is that with this application, it is certainly conceivable that one might have numerous forms open at the same time. I will when using the site. So either I need to have the same key for the duration of a session or use the database so I can have multiple keys that expire as soon as they are used in a submit.
  13. The per form method is working extremely well. Here's the SQL table:

        CREATE TABLE csrf (
          id MEDIUMINT unsigned NOT NULL AUTO_INCREMENT,
          sid varchar(32) NOT NULL,
          mykey varchar(32) NOT NULL,
          PRIMARY KEY (id)
        );

      Here are the two PHP functions - the first sets the key, the second checks the key that was passed on post:

        <?php
        // Generate a one-time key for this form, tied to the caller's session ID.
        function csrfkey($sid) {
            $random = md5(microtime() . $sid . rand());
            // Escape values before interpolating them into SQL.
            $sql = "INSERT INTO csrf (sid,mykey) VALUES ('"
                 . mysql_real_escape_string($sid) . "','"
                 . mysql_real_escape_string($random) . "')";
            mysql_query($sql);
            return($random);
        }

        // Validate the submitted key for this session and consume it on success.
        function checkcsrf($sid, $mykey) {
            $sql = "SELECT id FROM csrf WHERE sid='" . mysql_real_escape_string($sid)
                 . "' AND mykey='" . mysql_real_escape_string($mykey) . "'";
            $result = mysql_query($sql);
            while ($somevar = mysql_fetch_object($result)) {
                $valid = $somevar->id;
            }
            if (! isset($valid)) {
                return false;
            } else {
                // One-time use: delete the key so it cannot be replayed.
                $sql = "DELETE FROM csrf WHERE id=" . (int)$valid;
                mysql_query($sql);
                return true;
            }
        }
        ?>

      I think that should do it, unless anyone more experienced than me has other advice.
  14. I suppose an even safer way to do it would be to generate the key when the form is created and put in a database with the session id, and check the key + session id pair on form submit - deleting the pair on submit and run some kind of garbage collection that deletes pairs from expired sessions. That would pretty much eliminate the cracker targeting a specific user and snooping the network to try and catch a valid key.
  15. Howdy - as I'm getting closer to having my web app finished, I realized I had nothing for CSRF prevention. My admittedly limited understanding of CSRF is that the attacker forges a form submit and tricks a legitimate user into running it. Thus if the user has a valid session ID in their browser cookie, the server gets the post, reads the cookie, and trusts that the post is legitimate. So - this is what I'm doing to try and mitigate it. I modified my PHP sessions class (database driven) to add a CHAR(32) field. When a session is created, md5(microtime() . rand()); is inserted into that field. Forms then have that value as a hidden input, and when a form is submitted, the input value is checked against what is in the database for the user's session ID. If it doesn't match, a redirect header is sent and the script calls die(); If a cracker is targeting a specific user, he may be able to intercept the key that is specific to the user's session by snooping the traffic (user login/prefs is over SSL but nothing else is), but since I only use session cookies, the cracker would have to sniff the key during the user's existing session or he won't be able to forge a form that would validate. If a cracker is not targeting a specific user, it's not an issue. I went ahead and tried it myself - and it seems to work. I don't want to rely on any of the referrer globals because those can be forged and some users for privacy reasons disable them. Anyway, does my scheme work or are there other measures I should take?
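The per-form token scheme that posts 13 and 14 above converge on (one database row per rendered form, tied to the session ID, deleted on first use, with garbage collection of rows nobody submitted) as an added Python example. This is not funkyres's code: an in-memory SQLite table stands in for the MySQL `csrf` table, `secrets.token_hex` replaces `md5(microtime() . $sid . rand())`, every query is parameterised so the submitted value never becomes SQL text, and the lookup compares candidates in constant time. It also keeps the token an opaque random value rather than anything derived from the session ID, which is the concern raised in post 11. The function names, the one-hour TTL and the session IDs used in the usage are assumptions.

```python
import hmac
import secrets
import sqlite3
import time

# Assumption: a form token older than this is treated as expired and garbage-collected.
TOKEN_TTL_SECONDS = 3600


def open_store() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the MySQL `csrf` table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE csrf ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " sid TEXT NOT NULL,"
        " token TEXT NOT NULL,"
        " created INTEGER NOT NULL)"
    )
    return db


def _now(now):
    # `now` is injectable so the behaviour at expiry boundaries can be exercised.
    return int(time.time() if now is None else now)


def issue_token(db: sqlite3.Connection, sid: str, now=None) -> str:
    """Create a fresh one-time token for one form render in session `sid`.
    The value goes into the form's hidden input; `sid` comes from the session cookie."""
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO csrf (sid, token, created) VALUES (?, ?, ?)",
        (sid, token, _now(now)),
    )
    return token


def check_token(db: sqlite3.Connection, sid: str, submitted: str, now=None) -> bool:
    """Accept the POST only if `submitted` is an unexpired token issued to `sid`,
    then delete it so the same token cannot be replayed."""
    rows = db.execute(
        "SELECT id, token FROM csrf WHERE sid = ? AND created > ?",
        (sid, _now(now) - TOKEN_TTL_SECONDS),
    ).fetchall()
    matched = None
    for row_id, token in rows:
        # Constant-time comparison on bytes; keep scanning every candidate so the
        # loop length does not depend on where the matching row sits.
        if hmac.compare_digest(token.encode(), submitted.encode()) and matched is None:
            matched = row_id
    if matched is None:
        return False
    db.execute("DELETE FROM csrf WHERE id = ?", (matched,))
    return True


def expire_tokens(db: sqlite3.Connection, now=None) -> int:
    """Garbage collection: drop tokens from forms that were never submitted."""
    cur = db.execute(
        "DELETE FROM csrf WHERE created <= ?", (_now(now) - TOKEN_TTL_SECONDS,)
    )
    return cur.rowcount


def end_session(db: sqlite3.Connection, sid: str) -> int:
    """Call when a session is destroyed so its outstanding tokens die with it."""
    return db.execute("DELETE FROM csrf WHERE sid = ?", (sid,)).rowcount


if __name__ == "__main__":
    db = open_store()
    t = issue_token(db, "example-session")
    print("first submit accepted:", check_token(db, "example-session", t))
    print("replay accepted:", check_token(db, "example-session", t))
```

Because each render gets its own row, any number of forms can be open at once in one session (the situation post 12 describes) and each submit consumes only its own token; `expire_tokens` runs from whatever periodic job already cleans up expired sessions.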